
Many security policies require you to change the port number of the SSH service to make a Linux system more secure. This practice is now common throughout the IT world, mostly among users who run their own private server. Today I want to show you how to add another security layer without having to change the SSH port. To do this we’ll integrate the well-known Google Authenticator with our SSH service; this gives us two-step authentication: our password plus the code generated by the GA application. Let’s see how to do this…

The first step is to configure NTP on our Linux OS to have our time aligned with the Google servers.

Then download the application Google Authenticator for your mobile device:

Copy the link: https://www.google.com/chart?chs=200×200&…. and paste it into the address bar of your browser; you should then see a QR code.

Open the G.A. application on your mobile device, and go to “Menu” -> “Configure Account”

Now tap on “Read barcode”

Now, place the smartphone on the screen to read the bar code and generate the access codes.

Immediately afterwards, the entry for your server (e.g. root@hostname) will appear:

The application is ready, so we go back to our Linux system and continue the configuration. We had left this question pending:

Do you want me to update your "/root/.google_authenticator" file (y/n)

Reply “y” to this and the other questions.

There is nothing left to do but to edit the PAM configuration file with your favorite editor:

# nano /etc/pam.d/sshd

and add at the end of the file:

auth required pam_google_authenticator.so

Save, then edit the sshd_config configuration file:

# nano /etc/ssh/sshd_config

You must change the item:

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

Save and restart the sshd service with the command:

For Debian/Ubuntu

# service ssh restart

For RHEL/CentOS

# service sshd restart

For ArchLinux

# systemctl restart sshd
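
A check of the two edits made above, as an added example that is not part of the original article. The function names (sshd_value, pam_has_ga, check_ssh_2fa) and the sample files are constructed for illustration; it assumes whitespace-separated directives and does not follow Match blocks or Include files.

```shell
#!/bin/sh
# Added example (not from the original page): verify the tutorial's two edits.

# First active value of an sshd_config keyword. sshd uses the first value it
# finds and treats keywords case-insensitively; '#' lines are comments.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeeds only if an uncommented "auth required pam_google_authenticator.so"
# line is present (module given by name or by full path).
pam_has_ga() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "required" &&
            $3 ~ /(^|\/)pam_google_authenticator\.so$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_ssh_2fa PAM_FILE SSHD_CONFIG: print findings, return 0 if both edits hold.
check_ssh_2fa() {
    rc=0
    if pam_has_ga "$1"; then echo "OK   $1: module required for auth"
    else echo "FAIL $1: no active pam_google_authenticator.so line"; rc=1; fi
    cr=$(sshd_value "$2" ChallengeResponseAuthentication)
    if [ "$cr" = "yes" ]; then echo "OK   $2: ChallengeResponseAuthentication yes"
    else echo "FAIL $2: ChallengeResponseAuthentication is '${cr:-unset}'"; rc=1; fi
    return "$rc"
}

# Constructed sample files (not from a real host). "before": the PAM line is
# commented out and an earlier "no" shadows the "yes" added at the bottom.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#auth required pam_google_authenticator.so' > "$d/pam.before"
    printf '%s\n' 'challengeresponseauthentication no' \
        'ChallengeResponseAuthentication yes' > "$d/sshd.before"
    printf '%s\n' 'auth required pam_google_authenticator.so' > "$d/pam.after"
    printf '%s\n' 'ChallengeResponseAuthentication yes' > "$d/sshd.after"
    check_ssh_2fa "$d/pam.before" "$d/sshd.before" || echo "-> before: not ready"
    check_ssh_2fa "$d/pam.after" "$d/sshd.after" && echo "-> after: ready"
    rm -rf "$d"
}
demo
```

On a real host the arguments would be /etc/pam.d/sshd and /etc/ssh/sshd_config, and sshd -t additionally validates the syntax of sshd_config. Keeping the current SSH session open until a second login succeeds avoids locking yourself out if either edit is wrong.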

At this point, we can test the solution by connecting to the server through ssh:

To enable the same code for other users of the system, just copy the file /root/.google_authenticator into the user’s home directory. If you instead want a separate token for each user, just run the google-authenticator command again as the desired user.